By Neil Johnson

The Real Crisis of US Election Security

The ballot box is the foundation of any democracy. It’s not too grand to say that if there’s a failure in the ballot box, then democracy fails.

The Crisis of Election Security, by Kim Zetter, New York Times

With the United States midterm elections less than a month away, it’s now abundantly clear that the US election systems are vulnerable to attack, despite previous, laudable cybersecurity efforts. In fact, the US midterm elections are already under attack, via false or misleading stories posted and shared on social media, known as disinformation attacks. As the election date approaches and these systems are subjected to further scrutiny, it’s obvious that the US election infrastructure is also vulnerable to more serious subversion attacks, where digital components of the election systems (such as voting machines, voter registration databases, vote tabulation and reporting servers) are targeted and compromised to alter or manipulate the actual casting of ballots and tabulation of results.

How did the US reach this crisis point, where this critical infrastructure is now so vulnerable that every election now seems like a gamble on the very integrity of democracy? Why does the security of these critical systems seem so poor and unreliable? Is there any way to remedy this threat to the most fundamental building block of a healthy democracy, a secure and reliable voting system?

Protecting digital election systems from cyber attacks requires open source software and security audits

US election systems are inherently vulnerable. Query whether proprietary voting machines can thwart subversion attacks.

A brief history of digital voting vulnerabilities

In the recent feature article in the New York Times, The Crisis of Election Security, author Kim Zetter traces the history of electronic voting in the US, from the controversial 2000 presidential election between Bush and Gore to today, and illuminates how the problems developed over the last two decades to reach the current crisis:

“The real problems were the machines used to cast and tally votes and the voter-registration databases the Russians had already shown interest in hacking. The entire system — a Rube Goldberg mix of poorly designed machinery, from websites and databases that registered and tracked voters, to electronic poll books that verified their eligibility, to the various black-box systems that recorded, tallied and reported results — was vulnerable.”

The US Federal government has not been idle in the face of these threats, but the response to date has been inadequate, “largely Band-Aid measures [that] don’t address core vulnerabilities in voting machines or the systems used to program them,” says Zetter.

Fixes inhibited by proprietary election software

These problems aren’t new in US election systems, nor are they limited to the US. Why haven’t election officials been able to fix them? Even if they could, is it their responsibility to do so? The primary reason, says Zetter, is proprietary election software:

The voting machines are made by well-connected private companies that wield immense control over their proprietary software, often fighting vigorously in court to prevent anyone from examining it when things go awry.

Presidential candidate John Kerry ran headlong into this after he lost the 2004 presidential race, “following numerous election irregularities,” notes Zetter, notably in Ohio. Determined to find out what exactly had happened, Kerry’s team asked to audit Ohio’s voting-machine software, but were denied access. Kerry explained in a recent interview on WNYC’s “Brian Lehrer Show”:

We were told by the court that you were not able to get that algorithm to check it, because it was proprietary information … the purview of privately owned machines, where the public doesn’t have the right to know whether the algorithm has been checked or whether they’re hackable or not. And we now know they are hackable.

Problems with current voting machines

Today, three privately held commercial companies — Dominion, ES&S and Hart InterCivic — control 80% of the approximately 350,000 voting machines in use in the US.

The voting machine industry is profitable, with around $300 million in annual revenue, but the industry “has long been as troubling as the machines it makes, known for its secrecy,” explains Zetter.

Not only do these companies fight every effort to audit the software that runs their machines, but they continue to sell the same flawed machines with the same security holes. These voting machines fall into one of two categories: optical-scan machines or direct-recording electronic machines. Each of them suffers from significant security problems.

Zetter identifies the problems with the current optical-scan machines, where voters fill out paper ballots, which are fed into optical scanners that create a digital image of the ballot and record the votes on a removable memory card. This approach seems pretty secure, since “the paper ballot, in theory, provides an audit trail that can be used to verify digital tallies,” says Zetter.

But there are serious problems with optical scan machines. Zetter explains:

  • “Not all states perform audits, and many that do simply run the paper ballots through a scanner a second time”
  • “Fewer than half the states do manual audits, and they typically examine ballots from randomly chosen precincts in a county, instead of a percentage of ballots from all precincts”

At least optical scanners require a paper ballot to function. Direct-recording electronic machines (DREs) use touch screens so voters select from digital-only ballots. DREs store votes electronically; many will also print a “voter-verifiable paper audit trail — a scroll of paper, behind a window, that voters can review before casting their ballots,” says Zetter. Sounds secure, but she points out the many security holes:

  • “a hacker could conceivably rig the machine to print a voter’s selections correctly on the paper while recording something else on the memory card.”
  • “Five states still use paperless DREs exclusively, and an additional [thirteen] states use paperless DREs in some jurisdictions.” (see the Notes, below, for a list of the 18 states that use some kind of paperless DRE machines.)

In fact, even with an extensive paper trail of printed ballots,

states don’t conduct robust post election audits — a manual comparison of paper ballots to digital tallies is the best method we have to detect when something has gone wrong in an election — and there’s a good chance we simply won’t know if someone has altered the digital votes in the next election.

Problems with the US voting infrastructure

Not only does each type of voting machine come with its own set of security flaws (made much worse because the companies block security audits of their code) but there are other vulnerabilities that all of the commercial voting machines share. Zetter notes that hackers can:

  • “access voting machines via the cellular modems used to transmit unofficial results”
  • “subvert back-end election-management systems … and spread malicious code to voting machines through them”
  • “design their code to bypass pre-election testing and kick in only at the end of an election … and erase itself afterward to avoid detection”
  • “produce election results with wide margins to avoid triggering automatic manual recounts”

She continues:

many voting machines that elections officials insist are disconnected from the internet — and therefore beyond the reach of hackers — are in fact accessible by way of the modems they use to transmit vote totals on election night.

If an attacker wanted to alter election results, they would most likely focus on these critical points in the election process: the computers that tally votes.

Once again, the voting machine vendors’ insistence on protecting their proprietary code from scrutiny, security audits, and testing means the chances of these types of hacks increase, and there’s no way to even tell if their voting machines have been compromised.

Voting machine companies already potentially compromised

We already know that these commercial voting machine companies have made many security mistakes. For instance,

Last year a security researcher stumbled across an unsecured ES&S server that left passwords exposed for its employee accounts … a malicious actor able to get into ES&S’s network could conceivably corrupt these files.

But even when these security problems come to light, Zetter continues, “researchers face hostility and sometimes even legal threats from vendors, who want to prevent them from finding and exposing problems with the machines.”

What’s the solution?

Some people have advocated the idea of banning digital voting machines altogether. But Zetter notes,

computers had been used in elections ever since the 1960s, when punch cards and computerized card readers and tabulators were introduced. And experts had been warning for just as long about the danger of placing too much trust in them.

Since then, the use of machine readable paper ballots has proven again and again to be an essential part of a secure backup and paper trail that facilitates audits of election results.

Despite all the difficulties and security holes that digital voting machines have introduced, these machines have also demonstrated clear benefits. “Even the problematic DRE machines offered many advantages,” says Zetter:

With direct recording, counties no longer had to print hundreds of thousands of paper ballots or store them for 22 months after a federal election, as federal law required. And the machines could be adapted to voter needs, by displaying digital ballots in multiple languages and font sizes. They also satisfied the accessibility requirement … offering Braille keyboards, audio instruction and other aids for physically impaired voters.

Is there any way to realize the benefits of electronic voting systems without undermining the reliability and integrity of a country’s election system?

Public software: open source; open for audits

The biggest problems with proprietary voting machines are related to the fact that they are proprietary:

  • Commercial voting machine companies don’t want outsiders, like security researchers, viewing or auditing their proprietary code.
  • Because their voting machines run on proprietary software, the machines are expensive, difficult to service, and again, the commercial vendors are reluctant to allow audits or reviews of their hardware.

There is a simple solution, and it’s the idea behind the TrustTheVote™ Project: build voting systems on a foundation of public (open-source) software. Public software is simply a computer program that opens its source code for review and audits, often available to use, modify or extend free of charge.

Most public software is licensed in a way that ensures that any enhancements or repairs added to the original code are available to use under the same “open source” license. This means that anyone, at any time, can analyze, review, or scrutinize the quality, reliability, and security of the open source (public) software.

By using public software to run election administration and voting machinery, election officials ensure that security researchers and computer experts can audit every aspect of public voting system software — and in most cases, the associated hardware.

The OSET Institute argues that, given election technology is now designated as critical infrastructure by the Department of Homeland Security, there is no logical business advantage to hiding the software from auditors, or to using expensive and proprietary hardware to build the voting systems.

Furthermore, using proprietary (instead of public) software for critical election infrastructure effectively makes it impossible for the public, which depends on the integrity of these systems, to verify that the proprietary software works correctly and has not been compromised.

Advantages of public software for voting systems

What are the advantages of the public (open source) software approach of the TrustTheVote Project?

  • Security researchers, election officials, and concerned citizens can audit and verify the integrity of public (open source) software used in election systems and voting machines.
  • Other public (open source) software projects, like Linux™, already run a significant portion of enterprise computing networks today and the vast majority of the global Internet’s critical infrastructure. This means that the open source software (OSS) model is proven and continually tested. There are many examples of OSS projects that are commercially viable, well supported, and offer demonstrated security advantages. Some examples include the Apache™ web server deployed for a majority of web sites worldwide; the Android mobile operating system powering a significant portion of smartphones; and thousands of other OSS projects.
  • Governments all over the world use OSS for information systems, including mission-critical applications within aerospace, finance, and national defense systems.
  • When security flaws are detected in open source software, fixes or patches can be published as soon as possible. With proprietary software, on the other hand, there can be business reasons and risks for the companies that produce and sell the software to obscure and in some cases even deny the existence of any such problems.
  • There are many examples of companies that have published flawed proprietary software, and then attempted to make internal fixes to protect sales before their customers learned about these software flaws. In some cases, this reluctance to publicize problems with proprietary software creates a significant security risk for the customers who paid to license the software. OSS presents no such incentive to hide its flaws, since the source code is already open for scrutiny (of course, this assumes, as is often the case, that many eyes are scrutinizing).

There’s nothing more critical to defending democracy than ensuring the security and integrity of its election administration and voting systems. Public election software is the best way to ensure that critical election technology infrastructure can be robust and reliable. This is precisely because public software is open to the scrutiny required to ensure the integrity of the voting machines and election systems that are the foundation of a trustworthy election.

As Kim Zetter observes, however, the commercial voting system manufacturers have lobbied for their proprietary election solutions, replete with their hidden vulnerabilities, to become the standard for US elections. And of course, it would be in their best business interest to pursue such. However, there’s no reason this should be the case, and there’s a better option: projects like the TrustTheVote™ Project, based on public, open source election software, subjected to peer review, the scrutiny of security and software experts, and the very public this software serves.

Learn how you can support the TrustTheVote Project and make a difference in the integrity of your election system. Get involved, or donate now.


End Note

Five (5) states use DRE machines with no paper trail whatsoever: Delaware, Georgia, Louisiana, New Jersey and South Carolina; 13 states use DREs with no paper trail in some jurisdictions: Arkansas, Delaware, Georgia, Indiana, Kansas, Kentucky, Louisiana, Mississippi, New Jersey, Pennsylvania, South Carolina, Tennessee and Texas.

Will foes attack the U.S. midterm elections in 2018?

The U.S. midterm elections are less than 50 days away. There are many reasons to be concerned that some adversaries of the United States will attempt, again, to sow chaos in the upcoming U.S. election, and undermine the legitimacy of these contests.

Christine Santoro, Esq. (Chief Legal Officer, OSET Institute), in her Sep. 20th, 2018 article, Will Foreign Adversaries Attack U.S. Midterm Elections or Elsewhere?, analyzes the threat:

Most experts believe that Russia … will continue to interfere in U.S. elections on some level(s). Others are raising concerns about China and even Iran.

Three Types of Attacks

This interference will be in the form of three different types of attacks, first identified in OSET’s Critical Democracy Infrastructure Briefing. The three types of attacks are:

    1. Defamation: de-legitimizing elections by “using weaponized content or generating false content to undermine voters’ confidence in the election”
    2. Disruption: disrupting the election process, before or during voting, or afterwards to disrupt reporting of the election result. This type of attack is especially dangerous when accompanied by a defamation attack, as both combine to throw the legitimacy of the election into doubt even without altering the votes cast or tallied.
    3. Subversion is the “direct manipulation of [election] devices, machinery or systems … the most dangerous and insidious type of attack.” This direct digital attack of voting machinery “will unlikely occur effectively at the ballot casting device but rather target tabulation and tally equipment.”

Attacks are happening now, and will increase

Already, Dan Coats, the Director of National Intelligence, has sounded the alarm regarding imminent and ongoing defamation attacks from Russia against the U.S.:

Russia is trying to spread propaganda on hot-button issues using social media … Moscow’s strategy is to exacerbate sociopolitical divisions … We continue to see a pervasive messaging campaign by Russia to try to weaken and divide the United States.

FBI Director Christopher Wray stated in August that Russian intelligence is focused on “malign influence operations,” which he called “information warfare.” Later that month, Facebook shut down over 30 pages and accounts with suspected ties to Russia.

The U.S. is not the only country whose elections are being targeted by Russian attacks:

What will happen in the 2018 U.S. midterms?

Counselor Santoro identifies the most likely attacks that will occur in the next two months:

  • Defamation attacks are happening now: “Russia continues to taunt the U.S. with Type-I attacks using disinformation, fake news, and instigation of social warfare on Facebook and other media sites.”
  • Disruption attacks are less likely: “the window for [voter registration attacks] may have passed … there [remains] possibility of attempts to hack election results sites.” Fortunately, “the official tabulation records and tabulators are not on-line,” so remain safe from Russian attacks, at least for now.
  • Subversion attacks are very unlikely, in part because this year is not a Presidential election year: “the stakes are not as lofty in the midterm elections, so foreign adversaries can afford to save their dry powder for this one.”

Although this sounds like relatively good news, the danger is, if anything, increasing:

Our foreign adversaries (again, in particular the Kremlin), are in for the very long game … they’re monitoring and preparing in the misguided belief they can successfully subvert our election and manipulate our government when the stakes are high enough in 2020.

What can we do to protect our election systems?

We aren’t helpless in the face of this gathering storm. But we must take action to protect U.S. electoral systems. Ms. Santoro identifies the most important steps we must take. Our voting systems must be:

  • completely rid of remote access capability
  • “fortified with paper ballots of record” and
  • tabulation and tally devices must somehow become truly hardened

Beyond simply securing voting machines,

  • digital election infrastructure must be rebuilt “for higher integrity … driven by a new critical infrastructure mindset in terms of security-centric engineering.”

Although we know that Russia is currently pursuing defamation attacks against the U.S. election system, and will continue to do so until the 2018 midterms are concluded, we may be able to prevent the much more dangerous disruption and subversion attacks in 2020, but only if we start working now to secure the U.S. election infrastructure.

The OSET Institute’s TrustTheVote Project addresses these issues with our modular ElectOS public software framework/platform, designed from the ground up to deliver verifiable, accurate, secure, and transparent (in process) elections.

More information and how you can help

Voter registration problems in Maryland signal larger vulnerabilities for upcoming elections


Voter registration data lost in Maryland

This Monday, state officials in Maryland acknowledged that problems with their “motor voter” systems are more significant than originally described:

[A]s many as 80,000 voters — nearly quadruple the original estimate — will have to file provisional ballots Tuesday because the state Motor Vehicle Administration failed to transmit updated voter information to the state Board of Elections.

— Up to 80,000 Maryland voters will have to file provisional ballots, state says (Washington Post. 6/25/18)

This announcement, made only hours before the polls opened for Maryland’s Tuesday primary, will mean more than just a minor inconvenience for the tens of thousands of voters affected. Sen. Joan Carter Conway (D-Baltimore City), chairwoman of the Senate Education, Health and Environment Committee, said that this situation will “confuse voters, suppress turnout, and disenfranchise thousands of Marylanders.”

Yet the significance of this programming error is broader still. Sen. Richard S. Madaleno Jr. (D-Montgomery), who is also running for governor of Maryland, called the incorrect registration of thousands of voters a “catastrophic failure.” In his statement, he continued, “The chaos being created by this failure subjects real harm to our most cherished democratic values.”

Is this election season hyperbole? Not at all, says John Sebes, Chief Technology Officer of the OSET Institute (the organization that runs the Trust The Vote project). In his recent article, Maryland Voter Registration Glitch: A Teachable Snafu, Mr. Sebes identifies the wide-ranging problems that will follow from these kinds of disruptions at a larger scale:

If a foreign adversary can use cyber-operations to maliciously create a similar situation at large scale, then they can be sure of preventing many voters from casting a ballot.  With that disruption, the adversary can fuel information operations to discredit the election because of the large number of voters obstructed.

— John Sebes, OSET Institute

It is, in fact, the credibility of the entire election itself that is at stake. These kinds of technical problems don’t need to be the result of nefarious interference in the election process. Mr. Sebes continues,

The alleged system failure (hack, glitch, or whatever) doesn’t even need to be true!  If this accidental glitch had occurred a couple of days before the November election, and came on the heels of considerable conversation and media coverage about election hacking, rigging, or tampering then it would be an ideal opportunity for a claimed cyber-attack as the cause, with adversaries owning the disruptive effects and using information operations to the same effect as if it were an actual attack.

—  Maryland Voter Registration Glitch: A Teachable Snafu by John Sebes

Maryland is clearly vulnerable to this kind of attack on the credibility of their electoral process. Already, some are sounding the alarm that these voter registration problems weren’t identified quickly — plus, there’s no way to verify the process itself:

Damon Effingham, acting director of the Maryland chapter of Common Cause, said it was “preposterous” that it took MVA officials four days to figure out the extent of the problem and that there is no system to ensure that its system is working properly.

— Up to 80,000 Maryland voters will have to file provisional ballots, state says (Washington Post. 6/25/18)

What’s the solution?

John Sebes and the Trust The Vote project have spent years developing open source election software and systems to address these issues. But that alone isn’t sufficient. Mr. Sebes identifies the steps that election officials can take now to prevent the kind of problems that Maryland is experiencing this week:

  • “It’s partly a technology effort to re-engineer election systems to be less fragile from errors and less vulnerable to attack.”
  • “How to ensure the correctness and integrity of poll books[?] … that depends on emerging open data standards and the question of certification of poll books.”
  • “Given the great importance of public credibility … election officials must also plan for proactive public communication.”

Mr. Sebes concludes:

The Maryland glitch is not so much about failed integration of disparate data systems, but much more about unintentional catalyzing of opportunities to mount “credibility attacks” on elections and the need for a different kind of preparation.

Read the full article, Maryland Voter Registration Glitch: A Teachable Snafu by John Sebes, on the OSET Institute website.

The OSET Institute runs the TrustTheVote Project, a real alternative to nearly obsolete, proprietary voting technology. TrustTheVote is building an open, adaptable, flexible, full-featured and innovative elections operating system called ElectOS. It supports all aspects of elections administration and voting including creating, marking, casting, and counting ballots, as well as managing all back-office functions. Check out this overview of the TrustTheVote Project to learn more. If you’re involved in the election process, as an election official, or an academic or researcher, join the TrustTheVote Project as a stakeholder to help develop and deploy open, secure, reliable, and credible election technologies. If you’re concerned about the health of our election systems, you can donate or volunteer. If you have any questions about the TrustTheVote Project, contact us today.

The TrustTheVote Project supports EU privacy standards

To prepare for the new General Data Protection Regulations (GDPR) for EU countries, the TrustTheVote Project web support team and OSET Institute Legal reviewed all of our data privacy and security policies to ensure that we meet (or exceed) the standards set by the GDPR. Data privacy and security is one of the foundational values of the TrustTheVote Project, and we want to be sure that we’re consistently applying best practices and principles.

We also believe it’s important to support and promote international norms for digital privacy. Although the OSET Institute is headquartered in California, our mission is global in nature, because verifiable, accurate, secure and transparent election technology is a mandate for all democracies, worldwide. Trust in elections depends on digital privacy and security. That’s why we support the principles of the GDPR, both in all of our web properties and in the software we build for safe and secure elections, ElectOS.

You can read our new Privacy Policy to see how GDPR compliance applies to this website. Please contact us if you have any questions about digital privacy, security, or how it applies to election technology.

More Information